Fiserv, a multi-billion-dollar cybersecurity tech provider for financial institutions, forgot to buy the domain used as a default in their systems’ email communications, according to a report.
The blunder could have exposed its clients’ user information to anyone with a few bucks to buy the domain – However, before that could happen, researcher Abraham Vegh came across the error last November.
In a recent KrebsOnSecurity report, Vegh explained he received an email from his bank, which included the domain, defaultinstitution.com. He searched and realized it wasn’t registered, bought it and linked it to an email address to see what would come in.
Krebs reported, Vegh received bounced messages from Fiserv users, including money transfer service Cashedge.com, which was trying to inform its customers it was switching to Zelle as their primary service. These included emails with IDs, transfer amounts and dates, the last four account digits of the sender and email address of the recipient, Vegh explained to KrebsOnSecurity.
Fiserv Default Domain
The bottom of the emails included this statement, “This email was sent to [recipient name here]. If you have received this email in error, please send an e-mail to firstname.lastname@example.org,” Krebs reported.
“It appears that the domain is provided as a default, and customer bank IT departments are either assuming they don’t need to change it, or are not aware that they could/should,” Vegh told Krebs.
Fiserv customer Netspend.com, provider of pre-paid debit cards, also showed up in Vegh’s “defaultinsitution” inbox, along with TCF National Bank, Union Bank and others, filled with personal user information.
Shortly thereafter, on Feb. 26, Krebs said Vegh stopped “defaultinstitution” emails.
Fiserv Acknowledges Error
Fiserv acknowledged the incident in statement provided to Threatpost.
“Upon being made aware of the situation we immediately conducted an analysis to locate and replace instances of the placeholder domain name,” the statement said. “We also notified the clients whose customers received these emails.”
Fiserv said it has since purchased the default domain, obtained the emails and are working to notify affected users.
“We will no longer use placeholder domain names that include non-Fiserv owned domains,” the statement added.
Dirk Schrader global vice president at New Net Technologies, told Threatpost the exposed data could have been used in socially engineered business email compromise-type scams.
“Fiserv has screwed up on a basic cyber security requirement for financial institutions, Schrader said. “Using an unregistered domain opens the door for phishing and for a lot of other attack vectors. Someone in Fiserv must have thought that ‘defaultinstitution’ is self-explanatory and everyone will change that entry, so the company has left it to pure luck.”
Schrader added fintech companies need to fully control and secure communications, adding, “this was a wide-open door for disaster and financial loss for Fiserv’s customers.”
Cyberattacks ‘Unlikely’ Resulting from Domain Error
Default settings and configurations often provide happy hunting grounds for threat actors, according to Ivan Righi, an analyst with Digital Shadows.
“Cybercriminals frequently use default passwords to gain access to target accounts and services,” Righi told Threatpost. “In this instance, the company used a default domain as a placeholder in its software solutions. Thankfully, as a researcher discovered the security issue, it is unlikely that the incident will lead to any cyber-attacks on customers.”
Vegh, for his part, told Krebs he was happy to hand the domain over to Fiserv, but added, maybe a t-shirt would be an appropriate prize for the bug report.
“Overall, I’m pleased with the outcome here,” Vegh told Threatpost. “I think Fiserv has learned from this, and I hope other companies large and small can learn this most simplest of lessons: always control domain names you use, even if it’s ‘just for development purposes.’ After talking with Fiserv, they made me a very reasonable offer to purchase the domain, which is way more than I was expecting for my efforts, and I was happy to accept and transfer the domain to them, closing the door on my involvement with it.”